How to delete Win32.AutoIt - Removal tool, fix instructions

Name: Win32.AutoIt

Aliases: Win32.Worm.AutoIt, Worm.AutoIt

Type: Worm

Size: The size of infected files may vary from 220KB to 275KB.

First appeared on: November 20, 2006

Damage: Medium

Brief Description: This worm creates copies of itself on local disks and write-accessible removable disks. It is a Windows PE EXE file. It is packed using UPX.

Visible Symptoms: The worm copies its executable file to the root of all write-accessible removable disks under the following name: New Folder.exe

The virus also drops the following malicious files:

%Windows%\RVHOST.EXE [Copy of itself]
%System%\RVHOST.EXE [Copy of itself]

Technical description: When launching, the worm copies its executable file to the Windows system and root directories:

%WinDir%\RVHOST.exe
%System%\RVHOST.exe

In order to ensure that the worm is launched automatically when the system is rebooted, the worm adds a link to its executable file to the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger" = "%System%\RVHOST.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = "Explorer.exe RVHOST.exe"

The worm copies its executable file to the root of all write-accessible removable disks under the following name: New Folder.exe

The worm also recursively copies its executable file to all folders on removable disks. The copies of the worm will have the same name as the folder they have been copied to with an “.exe” extension.

The worm creates the following system registry key parameters:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableRegistryTools = 1
DisableTaskMgr = 1

By doing so, it prevents the registry editing tool and Task Manager from being launched.

The worm also terminates processes relating to some antivirus and firewall solutions.

Propagation: Win32.AutoIt may arrive on a system as a downloaded file from a malicious Web site. It may also be dropped by another malware.

Removal instruction:
  1. Terminate the worm process by entering the following command in the command line:
    taskkill /IM RVHOST.exe
  2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
  3. Execute the following commands in the command line in order to activate the registry editor and Task Manager:
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools
  4. In order to confirm that the parameters should be deleted, answer "y" and press Enter.
  5. Delete the following system registry key value:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo Messengger" = "%System%\RVHOST.exe"
  6. Revert the modified registry key value to the following value:
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Shell = "Explorer.exe"
  7. Delete the following files:
    %WinDir%\RVHOST.exe
    %System%\RVHOST.exe
  8. Delete all copies of the worm from removable disks.
  9. Update your antivirus databases and perform a full scan of the computer.